Compass IT Compliance Blog

Does SOC 2 Reduce Security Questionnaires, or Just Change Them?

Every B2B vendor chasing enterprise deals eventually asks the same thing. We are pouring real money and real calendar time into a SOC 2 Type 2 report, so will it actually reduce the security questionnaires we get buried under, or will buyers just keep sending them anyway?

Third Party Administrator (TPA) Risks: IT Security & Compliance Guide

If your organization handles sensitive data and outsources any operational work, there is a good chance a Third Party Administrator (TPA) is somewhere in your environment. Maybe they process claims for your self-funded health plan. Maybe they handle 401(k) recordkeeping. Maybe they ar …

What Are Buyers Actually Looking for in Your SOC 2 Type 2 Report?

You spent six months getting ready for your SOC 2 Type 2 audit. You collected the evidence. You sat through the walkthroughs. You finally got the report, a polished sixty-page document with an unqualified opinion stamped on the front. Then you sent it to your first enterprise prospect. …

Maintaining Targeted Risk Analysis (TRAs) for PCI DSS Compliance

Every organization that processes, stores, or transmits cardholder data is required to protect it. That much is well understood. What is less understood, and where many organizations quietly fall short, is how they justify specific risk-based decisions inside their compliance program. …

How to Reduce CMMC Scope: A Practical Guide for Defense Contractors

For defense contractors preparing for Cybersecurity Maturity Model Certification (CMMC), scope is the single biggest lever you have over cost, timeline, and audit complexity. The smaller and more clearly defined your scope, the fewer systems your assessor has to evaluate, the fewer co …

PCI Compliance for Small Business: A QSA's Field Guide to PCI DSS

If you run a small business that accepts credit cards, the words "PCI compliance" probably land somewhere between mildly stressful and outright intimidating. I get it. I have spent years walking small merchants through the Payment Card Industry Data Security Standard (PCI DSS), and th …

Canvas Breach: What It Means for Schools & FERPA Compliance

When the Canvas login page was replaced with a ransom note on the morning of May 7, 2026, it did not look like a typical edtech outage. Students at Harvard, the University of Michigan, Duke, the University of Maryland, and thousands of other institutions opened their laptops in the mi …

How to Become a vCISO: The Skills That Set Great Ones Apart

At Compass IT Compliance, we run one of the more established virtual CISO practices in the country. That vantage point has given us a clear view of the capabilities that consistently define the strongest vCISOs working in the field today. The skills are not always the ones aspiring vC …

CMMC Assessments in Higher Education: What Campus Leaders Are Saying

I just got back from the EDUCAUSE Cybersecurity and Privacy Professionals Conference in Anaheim last week, and I came home with a notebook full of conversations that I think a lot of provosts, CIOs, and CISOs need to hear. The hallway talk between sessions, the candid moments over cof …